.Global - The way we act on Security Threats

The way we act on Security Threats

The way we act on Security Threats

On October 20, 2017 ICANN published a Framework for Registry Operator’s Response to Security Threats. This blog post describes how we respond and act when we detect or receive a report of a security threat under this Framework.



Refer the issue to the Registrar

“Referral is often the first response employed by a RO because it is the Registrar that has the contractual relationship with the Registrant of the domain name. The Registrar should be given a time-bound opportunity to investigate the security threat and respond appropriately. A negative or non-existent response from the Registrar should not preclude the Registry from taking action.”

.GLOBAL action: The .GLOBAL namespace is monitored for suspicious behavior on a 24x7x365 (for more information on how we monitor our namespace see our previous article here) . When we receive a report about suspicious behavior on a .GLOBAL label we start an internal investigation. Based on the nature of the threat, the sponsoring registrar MAY be notified. This notification may include, if possible, details about the threats including the source.

Hold the domain name so it does not resolve

“Applying serverHold status removes the domain name from the TLD zone file, with the consequence that the domain name will no longer resolve on the public Internet. An additional benefit is that this action is easy to reverse in case of mistake.”

.GLOBAL action: In cases where the suspicious behavior is obvious, the serverHold status will be set and then the sponsoring Registrar will be notified. The sponsoring Registrar has the option to add clientHold (in addition to the serverHold). If the sponsoring Registrar update the label with clientHold, the serverHold may be removed by the Registry indicating the sponsoring Registrar get the control and responsibility for any further action.

Lock the domain name so it cannot be changed

“Although rarely used for security threats, applying lock status means that a domain cannot be transferred, deleted or have its details modified, but will still resolve. It is occasionally seen as part of an action where a domain is locked in conjunction with the seizure of its name servers.”

.GLOBAL action: In very rare cases, .GLOBAL MAY update the label with serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited. The sponsoring Registrar will be informed. If the sponsoring Registrar adds clientDeleteProhibited, clientTransferProhibited and clientUpdateProhibited, the server side settings will be removed indicating the sponsoring Registrar get the control and responsibility for any further action.

Redirect name services for the domain name

“A Registry has the technical ability to change a domain name’s nameservers. By changing the nameservers for the domain name, services associated with the domain name can be redirected for “sink-holing” (logging traffic) to identify victims for the purposes of remediation”

.GLOBAL action: Afilias is the selected Registry Service Provider (RSP) for .global. In very rare cases, the suspicious label can be redirected to the Afilias “sink-holing” DNS servers.

Transfer the domain name

“The transfer of a domain to a suitably-qualified Registrar may prevent exploitation, whilst allowing for management of lifecycle, EPP status codes, and expiration.”

.GLOBAL action: .GLOBAL has signed an Registry Registrar Agreement (RRA) with Stichting Registrar of Last Resort Foundation (RoLR). In special cases, a suspicious label MAY be transferred to RoLR in cooperation with the losing Registrar.

Delete the domain name

“Deletion is an extreme action and not generally recommended without careful due diligence and direction from the appropriate authorities. Restoring a domain name, if the deletion is found to be inappropriate, may involve additional burdens that are not manifest when placing a domain name on serverHold. Deletion is generally not as effective at mitigating security threats as suspension, as a registrant is free to re-register the domain name after it is purged from the zone.”

.GLOBAL action: .GLOBAL will only delete a suspicious label IF instructed by a court order

Take no action

“This option is always available. Registry policy may limit action under specific circumstances or it may be the default action if no other response is appropriate. Similarly, a RO may reach the conclusion that a referred matter does not constitute a security threat or that the consequences of action outweigh the threat itself. As a matter of courtesy, the RO should respond to the originator of a security threat indicating why this is the response to the reported security threat.”

.GLOBAL action: The Registry MAY not act if a suspicious label is already being investigated by the sponsoring Registrar OR internal investigation indicate no evidence of abuse OR the nature of suspicious behavior is not included in the Specification 11.3B cases to be actioned.

UNREGISTERED DOMAIN NAMES [Domain Generation Algorithm (DGA)]

Create the domain name

“Registering a potentially malicious domain name seems counterintuitive; but when done in controlled conditions, it enables researchers and public safety organizations such as Computer Emergency Readiness Teams (CERTs) to take appropriate action (such as sinkholing) on a domain name. Similarly to the transfer option above, this helps identify victim computers for mitigation purposes. Additionally, use of the domain name is denied to bad actors as with the block option below.
The RO generally has discretion as to whether it delegates previously unregistered domains to a suitably-qualified registrar, or its own internal registrar. ROs should be sure that they seek any appropriate or necessary waiver(s) from ICANN with regards to certain contractual provisions of the RO’s respective Registry Agreement. This is currently achieved through ICANN’s Expedited Registry Security Request (ERSR) process. The timing of the receipt of the waiver is dependent upon ICANN.”

.GLOBAL action: In cases where .GLOBAL is being informed by CERTs to create a label. .GLOBAL will cooperate with a selected Registrar to execute.

Block registration of the domain name

“Where agreed, the RO may reserve the requested domain name. Requestor should work with the RO to establish an appropriate time limit for the block, if any.”

.GLOBAL action: .GLOBAL will cooperate with the requestor.